Switchport security, but at layer-3

Jun 17th, 2008

I know I can implement layer-2 port security on my 4500 switches. That is, I can arrange it so that if a user connects a foreign device to the port, the port goes into errdisable.

What I want to do is the same thing at layer-3. From time to time, users try to attach foreign network-aware devices such as PDAs to the USB port of their PCs. Sometimes these devices try (unsuccessfully) to do a DHCP, and sometimes they seem to just appear on the network as 169.254.2.2 or 192.0.0.192. But they always use the MAC address of the PC.

What I want is for the port to get shut down if the host generates a DHCP, or if the port sees packets from any address in 169.254.0.0/16. Does anyone have a way to do that?

Kevin Dorrell

Luxembourg
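The two checks Kevin asks for (a DHCP client request leaving the port, or any packet sourced from 169.254.0.0/16) can be expressed as a small inspection rule keyed on the port rather than the MAC address, since the tethered device borrows the PC's MAC and layer-2 port security never sees a violation. The following is an added example written for this page, not code from the thread or from any switch vendor; the port names, MAC addresses, IP addresses and the sample frames are all constructed for illustration, and the errdisable state machine is a model of "shutdown"-style behaviour, not an implementation of any particular switch feature. It goes slightly beyond the question in that the list of foreign prefixes is configurable, so 192.0.0.192 (mentioned above) can be caught by adding a prefix such as 192.0.0.0/24, which is an assumption about what you would want to block.

```python
"""Layer-3 'port security' model: errdisable a port when the host behind it
sends a DHCP client request or sources packets from a foreign prefix.
Added example, not from the thread; names, addresses and frames are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
BOOTPS, BOOTPC = 67, 68   # DHCP server / client UDP ports


def prefixes_from(*cidrs):
    """Turn CIDR strings into network objects usable as a prefix list."""
    return tuple(ipaddress.ip_network(c) for c in cidrs)


# Source prefixes that mean "a foreign device appeared" (APIPA self-assignment).
DEFAULT_FOREIGN = prefixes_from("169.254.0.0/16")


@dataclass
class Verdict:
    port: str
    action: str          # "ok" or "errdisable"
    reason: str = ""


def parse_frame(frame: bytes):
    """Decode an Ethernet II / IPv4 frame; returns None if it is not IPv4."""
    if len(frame) < 34:            # 14 bytes Ethernet + 20 bytes minimal IPv4
        return None
    src_mac = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    src_ip = ipaddress.IPv4Address(ip[12:16])
    sport = dport = None
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src_mac, src_ip, proto, sport, dport


def inspect(port: str, frame: bytes, prefixes=DEFAULT_FOREIGN) -> Verdict:
    """The two rules from the question, keyed on the port, not the MAC
    (the foreign device borrows the PC's MAC, so MAC port security is blind)."""
    parsed = parse_frame(frame)
    if parsed is None:
        return Verdict(port, "ok")
    src_mac, src_ip, proto, sport, dport = parsed
    if proto == IPPROTO_UDP and sport == BOOTPC and dport == BOOTPS:
        return Verdict(port, "errdisable", f"DHCP client request from {src_mac}")
    for net in prefixes:
        if src_ip in net:
            return Verdict(port, "errdisable", f"source {src_ip} in {net} from {src_mac}")
    return Verdict(port, "ok")


class AccessPortGuard:
    """Per-port errdisable state: once tripped, everything on that port is
    dropped until an operator clears it (shutdown-mode semantics, not restrict)."""
    def __init__(self, prefixes=DEFAULT_FOREIGN):
        self.prefixes = prefixes
        self.errdisabled = {}   # port -> reason it was shut

    def feed(self, port: str, frame: bytes) -> Verdict:
        if port in self.errdisabled:
            return Verdict(port, "errdisable", self.errdisabled[port])
        v = inspect(port, frame, self.prefixes)
        if v.action == "errdisable":
            self.errdisabled[port] = v.reason
        return v

    def clear(self, port: str) -> None:
        self.errdisabled.pop(port, None)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b"") -> bytes:
    """Constructed UDP-over-IPv4 frame for testing (checksums left zero)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) +
           struct.pack("!H", ETHERTYPE_IPV4))
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return eth + ip + udp + payload


# Constructed sample traffic: the PC and the PDA tethered to it share one MAC.
PC_MAC, GW_MAC, BCAST = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    ("Gi1/1", build_frame(PC_MAC, GW_MAC, "10.1.1.50", "10.1.1.1", 51000, 53)),           # PC: normal DNS
    ("Gi1/1", build_frame(PC_MAC, BCAST, "0.0.0.0", "255.255.255.255", BOOTPC, BOOTPS)),  # PDA: DHCP discover
    ("Gi1/2", build_frame(PC_MAC, BCAST, "169.254.2.2", "169.254.255.255", 137, 137)),     # PDA: APIPA
]

if __name__ == "__main__":
    guard = AccessPortGuard()
    for port, frame in SAMPLE:
        print(guard.feed(port, frame))
```

The DHCP rule is evaluated first because a DHCP discover is sourced from 0.0.0.0, which no prefix list would match; the prefix rule then catches anything the device sends after it falls back to a link-local address, whether UDP, TCP or ICMP. Note that the PC's own legitimate DHCP lease renewal would trip the first rule too, which is exactly the tension the question describes and why a rate- or count-based threshold may be preferable in practice.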

Kevin Dorrell Fri, 06/20/2008 - 04:58

Giuseppe,

Thanks, I shall read that chapter over the weekend and let you know if it fits the bill.

Kevin Dorrell

Luxembourg

Kevin Dorrell Mon, 06/23/2008 - 23:26

Giuseppe,

Thanks. I read the doc over the long weekend (we had a national holiday for the Grand-Duke's official birthday).

The feature doesn't fit the bill 100% because it does not actually disable the port when there is a violation. That is, it is the layer-3 equivalent of "restrict", but not "shutdown".

However, it does go a long way towards addressing my problem, and it also shows me a fun feature to try out in the lab!

Thanks.

Kevin Dorrell

Luxembourg
